{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1115 - Clipboard Data",
    "\n",
    "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Utilize Clipboard to store or execute commands from\nAdd data to clipboard to copy off or execute commands from.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\ndir | clip\necho \"T1115\" > %temp%\\T1115.txt\nclip < %temp%\\T1115.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1115 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Execute Commands from Clipboard using PowerShell\nUtilize PowerShell to echo a command to clipboard and execute it\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\necho Get-Process | clip\nGet-Clipboard | iex\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1115 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Decoy Content  \n Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. \n\n Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.\n#### Opportunity\nThere is an opportunity to introduce data to an adversary to influence their future behaviors.\n#### Use Case\nA defender can insert into a system's clipboard decoy content for the adversary to find. \n#### Procedures\nCreate directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data.\nSeed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}